Stagefright

Discussion in 'Alternatives to iOS and iOS Devices' started by gotluck, Aug 5, 2015.

  1. gotluck macrumors 603

    gotluck

    Joined:
    Dec 8, 2011
    Location:
    East Central Florida
    #1
    just in case anyone cares... someone at Google has made a somewhat cryptic statement about stagefright, as far as actually using the exploit maliciously goes I suppose

    From
    http://www.androidcentral.com/stagefright-exploit-what-you-need-know


    Update: August 5
    Google addressed stagefright specifically, with lead engineer for Android security Adrian Ludwig stating to NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."

    This is very much at odds with the "900 million Android devices are vulnerable" line we have heard. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher have protection against a buffer overflow attack built in.

    ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to try and exploit by random arrangement of memory address spaces of a process. ASLR has been enabled in the default Linux Kernel since June 2005, and was added to Android with Version 4.0 (Ice Cream Sandwich).


    How's that for a mouthful?

    What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.

    This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung (1), (2) and Alcatel have announced a direct patch for stagefright, and Sony, HTC and LG say they will be releasing update patches in August.
     
  2. Shanghaichica macrumors 603

    Shanghaichica

    Joined:
    Apr 8, 2013
    Location:
    UK
    #2
    How is this different to the text message bug that effected iOS devices a few months ago?

    The one with the Arabic text?

    I understand that this exploit would be exacerbated by the difficulties in rolling out patches to non nexus devices.

    But in terms of the severity of the threat is it on the same level as the iOS one from a few months back?
     
  3. MRU macrumors demi-god

    MRU

    Joined:
    Aug 23, 2005
    Location:
    Other
    #3
    The iOS one basically locks your device / causes a reboot. The Android one could be used to exploit and gain access to content and potentially run further exploits I believe.
     
  4. gotluck thread starter macrumors 603

    gotluck

    Joined:
    Dec 8, 2011
    Location:
    East Central Florida
    #4
    I believe the severity of this exploit on android is more significant than iOS' similar bug yes
     
  5. epicrayban macrumors 603

    epicrayban

    Joined:
    Nov 7, 2014
    #5
    When will people see it for non-Nexus devices? That's the big question.
     
  6. Shanghaichica macrumors 603

    Shanghaichica

    Joined:
    Apr 8, 2013
    Location:
    UK
    #6
    Well apparently Samsung have already released a patch for some of their devices. They have stated that they will release security updates for their devices every month.

    I think I read somewhere that LG would also push out the update for their devices soon.

    I think now that it has got so much attention most of the big OEM's will respond appropriately with patches.
     
  7. Shanghaichica macrumors 603

    Shanghaichica

    Joined:
    Apr 8, 2013
    Location:
    UK
    #7
    Thanks. I can see the difference now :)
     

Share This Page